Posted by Soulskill on Tuesday March 19, 2013 @02:48PM
from the internet-dragging-its-feet-slightly-less dept.

wiredmikey writes "Google on Tuesday announced that it now fully supports DNSSEC (Domain Name System Security Extensions) validation on its Google Public DNS resolvers. Previously, the search giant accepted and forwarded DNSSEC-formatted messages but didn't actually perform validation. 'With this new security feature, we can better protect people from DNS-based attacks and make DNS more secure overall by identifying and rejecting invalid responses from DNSSEC-protected domains,' Yunhong Gu, Team Lead, Google Public DNS, wrote in a blog post. According to Gu, about 1/3 of top-level domains have been signed, but most second-level domains remain unsigned. According to NIST, there has been no progress in enabling DNSSEC on 98 percent of all 1,070 industry domains tested as of March 18, 2013. 'Overall, DNSSEC is still at an early stage and we hope that our support will help expedite its deployment,' Gu said."

Could be true, but my ISP is not in the business of serving banner ads, building a profile of all my personal interests, habits, and vices, and there is actually somebody who will pick up the telephone at my ISP unlike Google, which has no actual humans that one is likely to be able to speak with about these concerns.

Google should be viewed as an adversary, and they didn't build that new building right across from spook central for nothing.

My ISP, AT&T, has terrible DNS, at least in this area. They randomly take down DNS servers, without replacing them. In case you don't know, this leaves customers without any way to access the internet. They occasionally stop serving requests to competitors. For a while the only way that I could reach my work home page from home was to type in the IP address, at least until I switched to Google DNS. It was sort of important because I was an admin. Google DNS just works. I can go to any page I need to go to.

I wasn't remarking on the relative effectiveness of the domain name servers at AT&T vs. Google, I was pointing out that Google seeks more and more information about you, to use for whatever purposes they see fit.

AT&T might do this too but at least they aren't building a profile of you and selling it to anybody with two bits to spend.

Google is certainly building up a profile of everybody who uses any of their sites, and anybody using a page that uses any Google API, and selling this information. No need to lie to me, especially when everybody already knows the truth about Google.

You can see what's in this "profile" by visiting your Google account page. This "profile" consists of some of the pages you visited and things you searched for. Basically, clues to what ads you might be likely to click on. That's all.

We have no guarantee that everything Google knows about you is in your Google profile. They are keeping tabs on everybody who lands on a page that uses Google APIs, they have been busted circumventing privacy controls in browsers, and they are not to be trusted.

The wolf is right there. Everybody can see it. You just need to take your blinders off.

Read up on the details of the case where Google was "circumventing privacy controls in browsers". All Google was doing was trying to get the status for the +1 button on the page. A bug in Safari was piling on the extra cookies, which Google ignored.

Or, let's tape on our tin foil hats and look at it from YOUR perspective:

There were a relatively tiny number of people who actually enabled DNT in Safari. And those were people who were not likely to click on ads anyway. But, according to you, the people at Goog

I know (not believe, know) that Google is doing anything and everything it can to build up profiles of everybody who uses any Google service - visible or not - all of the time. This is their primary job. They are advertisers, trying to make money by selling targeted ads (and perhaps information that allows targeting) to anybody. And yes, I know they were purposefully targeting this Safari bug.

I do not believe that it is possible for advertisers, attorneys, loan brokers, and certain other classes of people

Did the "voices" tell you? Or can you offer us even a tidbit to verify that your claims are anything other than "beliefs"?

Are you saying that you are currently in contact with "some of the highest ranking Googlers" and that they are sharing their nefarious plans with you? Or are you saying that you once went to the same school as someone who now works at Google and you did not like that person at the time?

Could Slashdot please put in some sort of filter to automatically detect this nut and not let him post this on every story? Most of the time I am against censorship, but this same comment does not belong on every story posted.

I don't mind that there are long posts here, but it's annoying to have to scroll past them.

Um, poor baby? Do you not know how lame that is, you and those above complaining about the same thing? Gahd! Syrians are re-inventing WW1 warfare, ffs. It takes max. three seconds to spacebar past that crap. Sheesh!

What do Syrians have to do with this? Or are you just an asshole by nature? This is a usability thing that a website developer ought to care about and no, it takes me longer than that; this computer isn't the fastest out there, not with all the larding up of this web 2.0 stuff.

I don't mind that there are long posts here, but it's annoying to have to scroll past them.

Syrians are re-inventing WW1 warfare, ffs.

What do Syrians have to do with this?

Wow, you're shallow, as a pane of glass. People are dying out there fighting civil wars, and you're complaining about having to page past stuff you'd prefer not to see. :-|

Again, I ask what does this have to do with a complaint about a usability problem with a website?

"Shallow" refers to your lack of "depth", as in "deep thinking" or "inability to prioritize." Lots of things can be complained about. There's lots that's wrong in the world. But, max. three seconds to spacebar past annoying posts?!? Come on.

I see !@#$ like this all the time. People get five spams a day, and they think it's the end of the world. It drives them to avoid email and use FaceFuck to communicate instead.

Dumbth!

... a pane of glass isn't shallow, it's transparent.

Pardon me. I was previously unaware that you were an idiot. Carry on. Bon chan

Ya kidding? There's always been an option about the text length display on Slashdot. I've adjusted mine more than once.

And then there's the ACs. For me, all ACs get a -2 on their score. It too is in the Slashdot options. Can't be bothered to create an account? I rarely read your shite.

Thirdly, replying to trolls, and then getting modded up in some way similar to Reddit, Facebook, and any other site that does the thumbs-up shit, only serves to highlight the post to me. I then end up reading the parent troll. G

...probably the most unsexy story I've seen on Slashdot in ages. It's minimally controversial. And it leads to a minimum number of jokes and ridicule. I predict that the Limit, as time approaches infinity, of number of posts = 150.

DNS is really boring today, but let me tell you, between 1999 and 2001, DNS was a much more interesting topic.

Back then, there were two DNS servers out there:

BIND, which was horribly insecure and one of the more significant causes of remote root access security holes

DJBDNS, which was and by and large [nist.gov] is secure, but had a weird maybe-not-open license and lots of quirks

LWN has a good article from that era [lwn.net] to give people an idea how limited choices were with open-source DNS servers. Since then, we got Unbound [unbound.net] and NSD [nlnetlabs.nl], PowerDNS [powerdns.com], and (shameless plug warning) MaraDNS [maradns.org] (there are also a lot of DNS server projects which never were finished or were abandoned years ago, such as OakDNS, Dents, Posadis, etc.)

The idea behind DNSSEC is that it is, within a margin of error (I'm already awaiting a somewhat pedantic correction from a neckbeard), the HTTPS of DNS: It makes it impossible (cue neckbeard pedantic correction) to spoof a DNS reply. DNS without DNSSEC is like HTTP without HTTPS: There are security issues where an attacker can make someone go to the wrong web site.

(Yes, I am aware of DNScurve. I'm also aware that, like Esperanto, the best idea doesn't always win--or even get implemented in a mainstream DNS server)

(Slashdot: 2001 called and wants its lack of Unicode support back. Why can't I use smart quotes or real em dashes in my replies?)

You're right of course; it's just not possible to fully describe the differences between DNSSEC and DNScurve in a 250-word summary written for people who think DNS is just some "boring subject". I chose readable over "pedantically accurate", along with a disclaimer that some details were lost in the interest of brevity and readability.

I had the following conversation with my boss: Check this link out
DNSSEC checker and your domain.. what's DNSSEC?
DNS SECURITY extension.. makes it much harder to redirect my domain by attacking the DNS layer
and you didn't do this on our domains because... ?
Your registrar hasn't bothered implementing DNSSEC yet.
OK, we're moving everything to one that does.

It was like I told him we had no firewall or backups when I put it that way. Bosses don't like to sound in

Frankly, leaving your DNS with the registrars has been a non-starter for close to a decade now. They're notoriously slow at adding features to their DNS management, hilariously inept at making new "marketing directed" changes to the DNS page (in order to lock you in better), etc. The dedicated DNS companies are a better choice because they have to compete on value/features specifically related to DNS.

(We switched away to DNSMadeEasy years ago, but they don't yet do DNSSEC on "primary" domains. Which a

I'm not up to scratch on the whole DNSSEC thing, but last I heard the protocol allowed DNSSEC-respecting servers to be trivially used as DOS nodes by having a control server. A machine could spoof the originating host on a lookup request for something nonexistent, and the payload of whatever the DNS is supposed to return is significantly larger than the lookup requests themselves, so you could trick one of the nameservers into bombarding your victim for you. Whatever happened with that?

Those attacks are still going on. This exploit does not require DNSSEC, but the large size of DNSSEC records makes it much more effective. Some DNS servers have implemented rate limiting to deal with this problem.
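The reply above mentions rate limiting as the mitigation that some DNS servers adopted for reflection floods. The following is an added example (Python, standard library only), not code from the thread or from any DNS server project: a small response-rate-limiting model in the style of BIND's RRL, keyed on (source /24, query name, second), with "slip" replies. The query and response sizes, the spoofed source address and the flood events are constructed for the simulation; the point it shows is how much the amplification toward a spoofed source drops once excess responses are either dropped or replaced by a tiny truncated reply that only a real (non-spoofed) client can follow up over TCP.

```python
"""Response rate limiting (RRL) against DNS reflection floods. Added example,
not from the thread; the sizes and the flood events are constructed."""
from collections import defaultdict
import ipaddress

QUERY_SIZE = 64          # constructed: small UDP query with an EDNS0 OPT record
RESPONSE_SIZE = 3000     # constructed: answer from a signed zone, RRSIGs included
TC_RESPONSE_SIZE = 64    # a truncated (TC=1) reply; a real client retries over TCP,
                         # which a spoofed source address cannot complete


def prefix(ip, bits=24):
    """Collapse a source address to its /bits network so a flood cannot dodge
    the limit by rotating through a few spoofed addresses in the same block."""
    return str(ipaddress.ip_network(f"{ip}/{bits}", strict=False))


class ResponseRateLimiter:
    """Per (source prefix, qname, second) response counter with 'slip'."""

    def __init__(self, responses_per_second=5, slip=2, prefix_bits=24):
        self.limit = responses_per_second
        self.slip = slip                # every slip-th excess response becomes a TC reply
        self.prefix_bits = prefix_bits
        self.counts = defaultdict(int)

    def decide(self, src_ip, qname, t):
        """Return 'send', 'slip' (send a tiny TC reply) or 'drop'."""
        key = (prefix(src_ip, self.prefix_bits), qname.lower(), int(t))
        self.counts[key] += 1
        n = self.counts[key]
        if n <= self.limit:
            return "send"
        excess = n - self.limit
        return "slip" if self.slip and excess % self.slip == 0 else "drop"


def make_flood(victim_ip, qname, n, rate_per_second):
    """Constructed events (t, spoofed_src, qname): n queries claiming to come
    from victim_ip, evenly spaced at rate_per_second."""
    return [(i / rate_per_second, victim_ip, qname) for i in range(n)]


def simulate(events, rrl=None):
    """Bytes the server would emit toward the claimed source, with or without RRL."""
    stats = {"send": 0, "slip": 0, "drop": 0, "bytes_out": 0}
    sizes = {"send": RESPONSE_SIZE, "slip": TC_RESPONSE_SIZE, "drop": 0}
    for t, src, qname in events:
        action = rrl.decide(src, qname, t) if rrl else "send"
        stats[action] += 1
        stats["bytes_out"] += sizes[action]
    bytes_in = len(events) * QUERY_SIZE
    # amplification = bytes reflected at the victim per byte the attacker sent
    stats["amplification"] = stats["bytes_out"] / bytes_in if bytes_in else 0.0
    return stats


if __name__ == "__main__":
    # 203.0.113.0/24 is a documentation range; the flood is entirely simulated.
    flood = make_flood("203.0.113.7", "example.com", n=100, rate_per_second=50)
    print("no RRL:  ", simulate(flood))
    print("with RRL:", simulate(flood, ResponseRateLimiter()))
```

With the constructed sizes, 100 spoofed queries at 50 per second reflect 300,000 bytes (about 47x amplification) without RRL and 32,816 bytes (about 5x) with a limit of 5 responses per second and slip 2; a legitimate client querying once a second never hits the limit.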

Please explain how you know that, for example, Microsoft doesn't already do a lot of similar things?

For a start, every new connection you check in with Microsoft by connecting to a Microsoft server and downloading a text file (look up NCSI - and, yes, you can change the registry entries to your own server if you wish, but so can you NOT use Google's DNS servers. I actually use it as a primitive "call home" device should someone be stupid enough to steal my laptop - as soon as it's turned on on an unknown Internet connection, it will try to talk to my server as a connection test, which would give me their IP).

Or time.microsoft.com. Same sort of thing. Hell, a lot of security suites "call home" with details of what pages you're going to in order to see if they are malware, etc. Opera Mini/Mobile "calls home" to a server that could even cache your SSL connections in theory, etc. Just what precisely distinguishes Google from anything else that you have voluntarily installed on your computer?

Your response is the equivalent of stating that since Microsoft murdered someone, I shouldn't be upset that Google did. Further, since we all know Microsoft murdered someone, I am out-of-line for mentioning that Google did.

Guess what Jimmy -- lots of people mention the bad things that M$ does. My post is about the bad things Google does -- and they do LOTS of bad things.

And I call them on those bad things, and the bad things they continue to do.

What's your suggestion then, that all targeted advertising be stopped? Google as a company behaves pretty well in general and exceptionally well when compared to others. If I can get excellent free services in exchange for having targeted ads displayed, sign me up. The cost of the services without the ads is prohibitive. As the GP stated, if you don't like them, don't use them and block a by taking cookies. I don't think you're going to have a lot of luck making collecting information illegal.

I suggest it be made very clear what data is collected and precisely how it is used.

Then let people decide if they want to use the service.

Right now, the only choice is to GUESS how the data is being used, and to GUESS precisely what is being collected. That needs to change.

Outside of the above... Google behaves well? Pfft. They behave as poorly as any large corporation, from what I've seen. Further, as mentioned above, the sort of "if you don't like them, stop talking about it, just don't use them" tho

Show me an ISP or host who supports IPv6 and DNSSEC for a reasonable price and I'll switch.

Fact is, usually your hosting provider runs your DNS for you, and until they change there's nothing I can do. Setting up a nameserver is within my realm of possibility but it's something that I pass off to third-parties for a reason (for a start, you need two and ideally they should be on different IP spaces and connections). Also, configuring and updating DNSSEC is, from what I've seen, a bitch and even the initial signing can be a pain in the arse. Sod all that hassle just for the convenience of a minority of visitors.

Combine that with the fact that for almost EVERYONE who owns a domain, someone else other than them actually hosts it (and the big guys who DO host their own domain nameservers? Well, they can and are enabling DNSSEC where they need it, but it's no small task) and you have a problem.

You can bitch at me as much as you like but that ain't going to DNSSEC-enable my domains that I don't host any more than bitching that my IPv6-ready setup isn't actually on an IPv6-compatible / supported connection / ISP-supplied router will get me online.

Talk to my ISP and domain host. Get a few of them moving, then we can talk. Until then, it's all just another technology that I can do nothing about without a lot of expense for virtually zero gain.

P.S. The domains I do have on VPS / external servers on hosts which offer DNSv4 control publish AAAA records which work. In the same way they publish SPF records that work, and DKIM records that work, and reverse DNS records that are valid. And they ALL get used. But not really enough to justify even the small effort it took to do all that.

I've done my bit. Call me when my ISP host gets off their arse and does theirs. In fact, call me when Slashdot does the same. 10 years on and they're still publishing articles about the doom of IPv4 without a single AAAA record to their name.

For a start, a home DNS server isn't suitable. And if I deploy a nameserver, as I said, you should be deploying two on separate networks. And it's STILL a pain in the arse to sign it all properly. It's just not worth the effort for a small home user, and those who run nameservers now can run DNSSEC now. The point is that few people run nameservers of their own, for good reason.

Google has not correctly implemented DNSSEC. If you send them a normal DNS query and the response is not validly signed, they just pass the answer back to you without any indication that it's invalid. They only tell you that the answer failed to validate if you set the DO ("dnssec okay") or AD ("authentic data") bits in your query, which almost no DNS clients currently do.

If the answer is invalid, a validating name server is supposed to respond with SERVFAIL, so that even if the client doesn't know anything about DNS security, it will still be protected against spoofing. Google is claiming to provide protection against spoofing, and then they aren't providing *any protection at all*.

If you want DNSSEC protection, you're still going to have to run a validating name server yourself: either BIND 9 or Unbound. (Disclosure: I'm a BIND 9 author.) It is, nowadays, extremely easy to configure a validating name server using BIND 9; in any version since 9.8.0, a one-line named.conf will do it:

options { dnssec-validation auto; };

Run named with that configuration and "nameserver 127.0.0.1" in resolv.conf and you're good to go. Google public DNS is not ready to trust yet.
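The post above turns on three wire-level details: the EDNS0 DO ("dnssec okay") bit in a query, the AD ("authentic data") bit in a response, and SERVFAIL as the signal a validating resolver must send when validation fails. The following is an added example (Python, standard library only); it is not code from the thread, from BIND or from Google Public DNS. It builds a query with and without the DO bit, parses response headers, and contains a header-only model of the two resolver behaviours the commenter contrasts (`simulate_resolver` with `strict=True` for the behaviour a validating resolver is supposed to have, `strict=False` for the behaviour the commenter attributes to Google, which this example takes from the post rather than verifying). The transaction id, names and sizes are constructed; message layouts follow RFC 1035 and RFC 6891.

```python
"""Build DNS queries with the EDNS0 DO bit and interpret what a validating
resolver sends back. Added example; resolver behaviour is modelled at the
header level only, and all sample messages are constructed in-process."""
import struct

RCODE_NOERROR, RCODE_SERVFAIL = 0, 2
FLAG_QR, FLAG_RD, FLAG_RA, FLAG_AD = 0x8000, 0x0100, 0x0080, 0x0020
TYPE_A, TYPE_OPT = 1, 41
EDNS_DO = 0x8000          # high bit of the 16-bit flags inside the OPT "TTL" field


def encode_name(name):
    """'example.com' -> b'\\x07example\\x03com\\x00' (uncompressed wire form)."""
    labels = name.rstrip(".").split(".")
    return b"".join(struct.pack("B", len(l)) + l.encode() for l in labels) + b"\x00"


def build_query(qname, qtype=TYPE_A, dnssec_ok=False, txid=0x1234):
    """Recursive query (RD=1); with dnssec_ok an OPT RR carrying DO is appended."""
    arcount = 1 if dnssec_ok else 0
    msg = struct.pack("!HHHHHH", txid, FLAG_RD, 1, 0, 0, arcount)
    msg += encode_name(qname) + struct.pack("!HH", qtype, 1)   # qclass IN
    if dnssec_ok:
        # OPT pseudo-RR: root name, type 41, class = UDP payload size,
        # "TTL" = ext-rcode(8) | version(8) | flags(16), empty rdata.
        msg += b"\x00" + struct.pack("!HHIH", TYPE_OPT, 4096, EDNS_DO, 0)
    return msg


def skip_name(msg, off):
    """Offset just past a (possibly compressed) name that starts at off."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if (length & 0xC0) == 0xC0:   # compression pointer: two bytes, ends the name
            return off + 2
        off += 1 + length


def parse_header(msg):
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": txid, "flags": flags, "rcode": flags & 0x000F,
            "ad": bool(flags & FLAG_AD), "qdcount": qd, "ancount": an,
            "nscount": ns, "arcount": ar}


def query_has_do(msg):
    """Skip the question section, then look for an OPT RR with DO set."""
    hdr = parse_header(msg)
    off = 12
    for _ in range(hdr["qdcount"]):
        off = skip_name(msg, off) + 4            # qtype + qclass
    for _ in range(hdr["arcount"]):              # a query has no answer/authority RRs
        off = skip_name(msg, off)
        rtype, _cls, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        if rtype == TYPE_OPT and ttl & EDNS_DO:
            return True
        off += 10 + rdlen
    return False


def simulate_resolver(query, answer_validates, strict):
    """Header-only model of the two behaviours discussed in the post.
    strict=True : validation failure -> SERVFAIL for every client.
    strict=False: SERVFAIL only when the client set DO or AD; otherwise the
                  bad answer goes back looking like a normal NOERROR reply."""
    hdr = parse_header(query)
    wants_dnssec = query_has_do(query) or bool(hdr["flags"] & FLAG_AD)
    flags, rcode = FLAG_QR | FLAG_RD | FLAG_RA, RCODE_NOERROR
    if answer_validates:
        if wants_dnssec:
            flags |= FLAG_AD     # AD is only set for clients that asked (RFC 6840)
    elif strict or wants_dnssec:
        rcode = RCODE_SERVFAIL
    header = struct.pack("!HHHHHH", hdr["id"], flags | rcode, hdr["qdcount"], 0, 0, hdr["arcount"])
    return header + query[12:]   # echo question (and OPT) back, as a real reply would


def classify(response):
    """What a stub resolver can conclude from the response header alone."""
    hdr = parse_header(response)
    if hdr["rcode"] == RCODE_SERVFAIL:
        return "validation-failed"
    return "authenticated" if hdr["ad"] else "unvalidated"


if __name__ == "__main__":
    plain, do = build_query("example.com"), build_query("example.com", dnssec_ok=True)
    for label, q in (("plain query", plain), ("DO query", do)):
        for strict in (True, False):
            print(label, "strict" if strict else "lenient", "bad answer ->",
                  classify(simulate_resolver(q, answer_validates=False, strict=strict)))
```

The case the post is about is the plain query against a bad answer: the strict model returns SERVFAIL and the stub is protected without knowing anything about DNSSEC, while the lenient model returns it as "unvalidated", indistinguishable from an ordinary answer. Running a local validator with `dnssec-validation auto;` puts you in the strict column for every client on the box.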

This would be great for me in China. That is, until Google DNS gets blocked completely.
Even using Google DNS in mainland China gives very odd random-seeming replies for requests to certain sites like Facebook. It really seems like even requests to foreign DNS servers get spoofed (though not consistently; about 1 in 20 requests seemed to actually give a Facebook server).